Presidential Directives and Cybersecurity

Latest News

EPIC, Coalition Call for Investigation into FBI's Inflated Encryption Statistic: EPIC and a coalition of twenty organizations called for the Department of Justice Inspector General to investigate the FBI's "grossly inflated" statistic of encrypted devices inaccessible to law enforcement in 2017. The Washington Post reported that the FBI repeatedly stated it was locked out of 7,800 devices, but subsequent review suggested the actual number is about 1,200. The coalition wrote to the IG asking him to investigate the error, why DOJ officials used the data point after it was discovered to be incorrect, and what measures were taken to inform Congress and the public of the FBI's miscalculation. EPIC President Marc Rotenberg previously told POLITICO that the revelation was "a very serious matter" that "calls into question" the FBI's other statements about "the scope of electronic surveillance in the United States."
(Jun. 5, 2018)

EPIC to Senate: Weaknesses in Cybersecurity Threaten Both Consumers and Democratic Institutions: EPIC submitted a statement to the Senate Homeland Security Committee in advance of a hearing on "Cyber Threats Facing America." Last year, the White House National Security Strategy report set out the administration's goals for global policy. EPIC supports several of the goals in the National Strategy report, including enhanced cybersecurity, support for democratic institutions, and protection of human rights. EPIC wrote to the Senate Committee to seek assurances that those goals will remain priorities for this administration. Quoting former world chess champion Garry Kasparov, EPIC also said "perhaps it is a firewall and not a border wall that the United States needs to safeguard our national interests at this moment in time."
(Apr. 24, 2018)

FEC Proposes Regulation of Internet Political Ads: Today the Federal Election Commission voted unanimously, at a public meeting, to publish a proposed rule concerning transparency requirements for online political ads. The FEC noted EPIC's comments—arguing that internet companies should be held to the same standard as broadcast companies—in its proposal. The FEC will publish the proposal in the Federal Register, accept comments from the public, and then hold a public hearing on June 27, 2018. After Russian interference in the 2016 election, EPIC launched the Democracy and Cybersecurity Project to preserve the integrity of elections and democratic institutions. In comments to the FEC in November 2017, EPIC explained the "need to protect democratic institutions from foreign adversaries has never been greater...To help ensure the integrity of U.S. elections, the Federal Election Commission should not exempt technology companies from notification requirements for Internet communications."
(Mar. 14, 2018)

Senators Ask Director of National Intelligence About Russian Meddling: Today the Senate Armed Services Committee held a hearing that addressed concerns about Russian interference in upcoming elections. In his opening statement, the Director of National Intelligence Daniel Coats stated that Russia views its influence on the 2016 election as successful and emphasized the threat that Russian cyberattacks pose to U.S. democracy. Coats testified that the U.S.'s response has not been sufficient to deter Russia from interfering in the 2018 midterm elections, agreeing with testimony of Admiral Michael Rogers, the Commander of U.S. Cyber Command, in a hearing last week. Coats called the U.S.'s strategy to combat Russian interference a "whole government approach," but it concerned some Senators that there was no lead agency in charge of this effort, including Senator Mazie Hirono (D-HI) who said that it caused her to conclude that it is "not a top priority" for the President. EPIC launched a project on Democracy and Cybersecurity in response to Russian interference in the 2016 presidential election.
(Mar. 6, 2018)

SEC Issues Guidance on Cybersecurity Disclosures: The Securities and Exchange Commission has released guidance for cybersecurity risks and incidents. The SEC stated that "in light of the increasing significance of cybersecurity incidents," it is "critical" for companies to routinely report cybersecurity threats. The Commission also emphasized that corporate officers must not trade on nonpublic information. Equifax waited six weeks to notify the public of its data breach, and its executives were accused of insider trading after it was revealed that they sold Equifax stock prior to informing the public of the breach. EPIC has long advocated for mandatory breach notification. EPIC President Marc Rotenberg recently testified on data security and breach notification before the House and Senate, explaining that companies' failure to protect data threatens not only consumers but also national security.
(Mar. 5, 2018)

Senate Holds Hearing on National Security Strategy: EPIC submitted a statement to the Senate Armed Services Committee in advance of a hearing on "Global Challenges and U.S. National Security Strategy." Last year, the White House released a National Security Strategy report that laid out the administration's goals. EPIC supports many of the goals stated in the report, including enhanced cybersecurity, support for democratic institutions, and protection of human rights. EPIC wrote to the committee to seek assurances that those goals will remain priorities for this administration. EPIC also said "perhaps it is a firewall and not a border wall that the United States needs to safeguard our national interests at this moment in time."
(Jan. 24, 2018)

National Security Strategy Acknowledges Importance of Democratic Institutions, Privacy: The White House has released the 2017 National Security Strategy. The report underscores the importance of democratic institutions and the rule of law. The report states the “government must do a better job of protecting data to safeguard information and the privacy of the American people,” and calls out "actors such as Russia [who] are using information tools in an attempt to undermine the legitimacy of democracies.” The report also cautions that cyber policy must be pursued "In accordance with the protection of civil liberties and privacy.” EPIC is currently pursuing several related FOIA cases about Russian interference in the 2016 Presidential election, including EPIC v. FBI (cyberattack victim notification), EPIC v. ODNI (Russian hacking), EPIC v. IRS (Release of Trump Tax Returns), and EPIC v. DHS (election cybersecurity).
(Dec. 21, 2017)

D.C. Circuit Sets Schedule for EPIC Case to Obtain Trump Tax Returns: The D.C. Circuit Court of Appeals has set a schedule in EPIC’s case to obtain President Trump’s tax returns. EPIC previously argued that the IRS has the authority to release the records to correct numerous misstatements of fact concerning financial ties to Russia, such as President Trump’s tweet "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING." The IRS recently admitted to EPIC that it has used this authority at least 10 times in one year. The schedule for the appeal was announced the same week that Congress considers sweeping tax legislation, but Congress and the public remain in the dark about the consequences of the legislation on the President’s personal finances. According to CNN, 73% of Americans favor release of the President’s tax returns. EPIC v. IRS is one of several FOIA cases concerning Russian interference in the 2016 Presidential election, including EPIC v. ODNI (scope of Russian interference), EPIC v. FBI (response to Russian cyber attack), and EPIC v. DHS (election cybersecurity). EPIC’s opening brief in EPIC v. IRS is due January 24, 2018.
(Dec. 19, 2017)

EPIC Urges House Judiciary to Examine FBI Response to Russian Cyber Attacks: EPIC has sent a statement to the House Judiciary Committee ahead of Wednesday's DOJ Oversight hearing. EPIC urged the Committee to question Deputy Attorney General Rosenstein about the FBI's ability to respond to future cyberattacks concerning the 2018 elections. A recent Associated Press investigation found that the FBI, the lead agency for cyber response, did not notify U.S. officials that their email accounts were compromised during the 2016 election. According to documents obtained by EPIC, the FBI is to notify victims of cyberattacks "even when it may interfere with another investigation or (intelligence) operation." EPIC obtained the FBI's Victim Notification Procedures through a Freedom of Information Act lawsuit, EPIC v. FBI, filed earlier this year. EPIC is currently pursuing several related FOIA cases about Russian interference in the 2016 Presidential election, including EPIC v. ODNI (Russian hacking), EPIC v. IRS (Release of Trump Tax Returns), and EPIC v. DHS (election cybersecurity).
(Dec. 12, 2017)

EPIC to House Committee: Privacy Safeguards Apply to Personal Data Sent to Government: In advance of a hearing on "Cyber Threat Information Sharing," EPIC has sent a statement to the House Homeland Security Committee. EPIC urged the Committee to determine whether there are sufficient protections for personal data sent to government agencies. Private companies now have legal authority to transfer data to government agencies outside traditional privacy procedures following passage of the Cybersecurity Information Sharing Act. EPIC and a broad coalition warned that the law will increase monitoring of Internet users and government secrecy. EPIC urged the Congressional committee to carefully examine the "scrubbing" techniques that are intended to remove personally identifiable information before data is transferred to federal agencies.
(Nov. 15, 2017)

Introduction

Cybersecurity encompasses an array of challenges to protect cyberspace. Cyberspace as defined by the Cyberspace Policy Review is the "interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries." The policy review goes on to define Cybersecurity policy to include "strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities." Cyberspace has become a common feature of modern society and touches almost every citizen in a number of different areas including online commerce, healthcare, financial services, and social media.

The ubiquity of cyberspace and its importance in our lives puts cybersecurity front and center as one of the more important policy issues going forward. The public deserves a debate about appropriate cybersecurity measures that includes clear and accessible explanations of the Whitehouse's cybersecurity policy. Too often cybersecurity policy is set by presidential directives that are not available to the public.

Presidential directives are similar to Executive Orders--they have the same substantive legal effect. Just like executive orders, presidential directives do not lose their legal effectiveness upon a change of administration. Presidential directives are used as an instrument of national security to affect policy in this area and generally derive from the policy papers produced by the National Security Council (NSC) that advises the president on national security issues. They are not required to be published in the Federal Register and are often highly classified. This has been the case for presidential directives pertaining to cybersecurity. The secrecy surrounding cybersecurity policy has hindered the ongoing public debate in this area.

Presidential Directives

National Security Decision Directive 145 (NSDD 145)

NSDD 145 was issued by President Reagan in 1984. The directive gave the NSA control over all government computer systems containing "sensitive but unclassified" information. NSDD 145 was followed by a second directive issued by National Security Advisor John Poindexter that extended NSA authority over non-government computer systems. In response to these directives, Congress passed the Computer Security Act of 1987 (CSA). The Act reaffirmed that the National Institute for Standards and Technology (NIST) was responsible for the security of unclassified, non-military government computer systems. CSA limited the National Security Agency to providing technical assistance in the civilian security realm.

National Security Presidential Directive 38 (NSPD 38)

NSPD 38 was issued on July 7, 2004, as the National Strategy to Secure Cyberspace. The contents of this classified directive have never been released, but prior to the issuance of NSPD 38, the Whitehouse released a different document also entitled "National Strategy to Secure Cyberspace" that detailed five priorities to secure cyberspace:

A National Cyberspace Security Response System.

A National Cyberspace Security Threat and Vulnerability Reduction Program.

A National Cyberspace Security Awareness and Training Program.

Securing Governments' Cyberspace

National Security and International Cyberspace Security Cooperation

National Security Presidential Directive 54 (NSPD 54)

NSPD 54 was implemented by President George W. Bush in January 2008. NSPD 54 was issued concurrently as Homeland Security Presidential Directive 23. The NSPD 54/HSPD 23 authorized the DHS (together with OMB) to set minimum operational standards for Federal Executive Branch civilian networks, and it empowers DHS to lead and coordinate the national cybersecurity effort to protect cyberspace and the computers connected to it. The directive also contains the Comprehensive National Cybersecurity Initiative (CNCI). The broad scheme of CNCI was described in a publicly-released 20009 document which included 12 initiatives:

Initiative #1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections.

Initiative #2. Deploy an intrusion detection system of sensors across the Federal enterprise.

Initiative #12. Define the Federal role of extending cybersecurity into critical infrastructure domains.

On June 5, 2014, the NSA released National Security Presidential Directive 54 ("NSPD 54") to EPIC after nearly five years of FOIA litigation. NSPD 54 is the foundational legal document outlining the Comprehensive National Cybersecurity Initiative (CNCI), the federal government’s effort to coordinate cybersecurity policy across federal law enforcement, intelligence and executive agencies, as well as with other law enforcement agencies and the private sector. The previously-classified document reveals the underlying legal authority for sweeping changes to federal cybersecurity that have taken place over the last five years. Additionally, NSPD 54 contains significant differences from the previously-released description of the CNCI. For the first time, the public now has access to the document empowering federal agencies to share cybersecurity information, develop offensive cyber programs and improve automated and predictive cyber technologies. NSPD 54 provides the public with an explanation of the government's legal and policy choices regarding cybersecurity and reveals new information about the government's coordinated cybersecurity efforts.

Presidential Policy Directive 20 (PPD 20)

PPD 20 was implemented by President Obama in October 2012, but was not released to the public. However, on June 7, 2013, PPD 20 was released by The Guardian, which had received the document from NSA leaker Edward Snowden. The directive details government policy regarding offensive cyber action and instructions to compile a list of potential targets for such action. According to the classified document, the "Government shall identify potential targets of national importance where [cyberattacks] can offer a favorable balance of effectiveness and risk ..."
According to news reports, the directive gives broader power to the military to block cyberattacks and discusses what constitutes an "offensive" verses a "defensive" action with respect to cyberwar and cyberterrorism. Additionally, the directive discusses the use of cyber-operations--actions taken outside U.S. networks.

EPIC's Efforts

Freedom of Information Request for NSPD 54

EPIC submitted a FOIA request in June 2009 directed at the NSA requesting copies of the directive along with copies of any initiatives or privacy policies associated with the directive. The NSA initially made no substantive determination regarding EPIC's FOIA request. EPIC subsequently filed an administrative appeal and then the NSA released two documents that had previously been made public. Eventually, NSA also identified three relevant documents that it refused to disclose. EPIC appealed the NSA's determination and after receiving no response filed a lawsuit against the NSA.

The NSA eventually released heavily redacted versions of two of the three documents identified by the NSA as responsive to EPIC's request. EPIC appealed this decision in Federal Court, but the District Court ruled that NSPD 54 was not an agency record discoverable under FOIA. However, after EPIC appealed this decision to the D.C. Circuit Court, the NSA released the document to EPIC with minor redactions. EPIC has released NSPD 54, allowing the public to review the government’s foundational cybersecurity policy for the first time.

Freedom of Information Request for PPD 20

Immediately after the news broke that President Obama had signed a new cybersecurity directive, EPIC submitted a FOIA request directed at the NSA requesting the release of the directive. The NSA denied EPIC's request. PPD 20 became public after it was leaked to the Guardian by NSA whistleblower Edward Snowden. The directive orders the creation of potential targets for Offensive Cyber Effects Operations by the National Security Agency. According to the classified document, the "Government shall identify potential targets of national importance where [cyberattacks] can offer a favorable balance of effectiveness and risk . . ."

Institute for Telecommunication Science (ITS is the research and engineering branch of the National Telecommunications and Information Administration, which is part of the U.S. Department of Commerce.)